Winantiviruspro And Likely Other Issues

I come to this forum broken from fighting this for 2 weeks now. My sense at this point is that I have multiple issues as I not only get pop-ups but the performance is so slow that it takes 2-3 hours now for most any scan of the system. Though I tried to do all the cleaning suggested on the front end of the posting process, I am not entirely sure everything completed appropriately.

While turning over and deleting WinAntivirus from under every rock I could find, I have run into a number of issues that it is possible that I have made worse along the way... I am at my wits' end!

So here is some additional information that may or may not be valuable to you...

1) I believe that I still have WinAntivirus or derivative as I still get the "Microsoft Phishing Filter" pop-up just before the browser gets redirected to some other site. Though this looks like a genuine Microsoft pop-up...I do not think it is.

2) McAfee frequently tells me that it has blocked a potentially unwanted program "Spyware - JuanSearch" and I continually tell McAfee to delete it.

3) To try to stop some of the stuff from loading upon start-up that I thought was slowing the system down, I went into msconfig to stop what I thought was not needed or unknown. There are a couple items in the start-up area that have no information in the item or command areas that I find suspicious. I have not "unchecked" them however as I just do not know what they are. Others that I have "unchecked" include:

* AdStatServ
* ccApp
* iTuneshelper
* mmtask
* mnyexpr
* msmsgs
* qttask
* drgtodsc
* was7mon
* hnihvfjm
* Skype - this is still here though I uninstalled Skype
* webbuying
* norton go back - this is still here though I have tried to uninstall all Norton products for McAfee
* hot sync manager - this is still here though I uninstalled this as I no longer have that Palm
* microsoft onenote 2003 quick launch
* TA_Start
* Think-Adz

4) Last I looked at the Task Manager I had 6 svchost.exe processes running.

Here is the HiJack log from late last night (I have not done anything to the system this morning)

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked. Apply and Exit Display properties.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Please make a donation so I can keep helping people just like you. Every little bit helps! You can even use your credit card! Thank you!

Before I place the logs below I thought I would share a few messages that happened along the way here. They may mean nothing but it would be silly to not include the observations just in case it would help you help me...

1) McAfee fired off a couple times saying that it was blocking unwanted software (Adware-zquest and Spyware-JuanSearch). I just told it to close the message as I did not know whether this was something being used by combofix.

2) After I did the initial Control panel-desktop fix stuff, I received a message stating that "Internet Explorer can not find active desktop HTML file. This file is needed for active desktop. To turn off active desktop, click OK"...that is what I did.

3) Spybot activated boxes 7 or 8 times stating that the registry was changing. I allowed each one figuring that it was combofix doing what it does.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Navigate to this folder:

C:\Program Files\MSN Gaming Zone

And delete this file, if present:

virto.html

I see Viewpoint installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quote box below into notepad:

File::
C:\WINNT\system32\tcsxhbnk.dll
C:\WINNT\system32\dhydcfqo.dll

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea


I see traces of Norton/Symantec in your log, and in your uninstall list. Do you use Norton any more? If not, they are notorious for leaving lots behind when you uninstall it, and they have a tool for that.

I am not able to perform the Java update. Each time I click on the JRE download link on Sun's page I receive "Internet Explorer can not display web page". I have run back at this several times though never get past this point.

As for the performance... I have to give you two answers. The first answer is that the pop-ups are gone and I continue to get clean bills of health from AdAware, Spybot S&D and McAfee Security Center. Second, the speed picked up TREMENDOUSLY when you had me use the Norton uninstall tool!! What a bonus that was.

Once we figure out how to update Java, I do have a couple more "housekeeping" questions...

1) Do I keep Hijack and Combofix (with the logs created) or should they be deleted?

I was finally able to get back to the Sun site and perform the Java uninstall/reinstall process without a hitch.

I have however continued to get the "Windows Security Alert" that asks if I want to keep blocking Javaw. I was evidently not observant enough when I received that in the past because I never saw where this was coming from. This time I see that it is located at:

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin

Should I get rid of this (though I am not certain how without uninstalling Hewlett-Packard)...tell Windows Security to continue blocking...or allow it?

Other points of interest...

1) I have deleted Combofix and related as discussed though decided to wait on the Hijackthis uninstall in the event you wanted to view another log.

2) msconfig is something I sometimes look at though almost never make changes because I know I can really screw things up. I do have a couple questions that concern me as I look at this...

* General Tab - In my frustration to stop stuff from loading before I came to you, I may have changed this to "Selective Start-up" though I am not certain. Should I leave this or should it be "Normal Start-up"?

* Start-up Tab - There are several things here that make me nervous so let me just get this off my chest and tell me whether I should be nervous or not....

- There is one "checked" line that has no information offered in the "Start-up", "Command", or "Location" area of the table. Seems like something that is supposed to be there would say what it was.

- There are a number of "unchecked" lines (I unchecked sometime ago) that seem to have concerning names though I can not find when I go to the location offered. Some of these names include: AdStatServ, TA_Start, Think-Adz, Webbuying, hnihvfjm (sitypnow) and was7mon (winantivirus 2007).

By doing the "wild card" Windows search for the msconfig start-up concerns I found:

TA_Start.linkstartup in C:\WINNT\pss
Think-Adz.linkstartup in C:\WINNT\pss

So...I went to pss and also deleted NortonGoback and Palm HotSync...only leaving OneNote Quick Launch, boot.ini.backup, system.ini.backup, and win.ini.backup.

None of the other concerns were found through this Windows search process. After emptying recycle and rebooting, the files are gone from the pss folder though they still appear in msconfig start-up (unchecked). I am perplexed...

Had to run this twice as I had walked away from the computer when it was working and missed the message regarding the text file name. It actually put the file in C:\documents and settings\owner\local settings\temp rather than in the folder I created for the Silent Runners zip file on the desktop.

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 88 seconds.
---------- (total run time: 165 seconds)